How Ad Trackers Make Cryptocurrency Transactions Less Private

Researchers from Princeton University have released their findings on how online ad trackers can compromise the privacy of cryptocurrency transactions. The title of the new research paper is, “When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies.” The privacy issues occurred on over 100 online merchants from over 20 countries that accepted cryptocurrencies. Cookies and other information obtained by ad trackers that are used on e-commerce sites can reveal the identity of customers who pay with cryptocurrencies. Some of the information online stores share with third party advertisers can include purchases a user has made, how much they have spent, as well as contact and shipping information. Even for online stores which do not collect much information about, users could obtain incriminating information if a user purchases a product with a cryptocurrency and then later purchases a product from the site using a credit card.

Some of the larger online vendors which accept cryptocurrencies include Overstock, Newegg, and Microsoft, all of which utilize third party ad trackers. Google’s ad tracker is said to be installed on nearly 80% of sites on the internet, according to the researchers from Princeton. Some of the major ad trackers, such as Google and Facebook, also obtain information directly from user accounts on their services, but most ad trackers do not have that advantage.

According to the researchers, nearly all but a few of the e-commerce sites that were studied gave third party scripts access to at least some of their customers personal information. Over 100 of the 130 e-commerce sites that accepted cryptocurrency also gave access to data about cryptocurrency transactions made by customers. Over 50 of the e-commerce sites exposed payment data to third party trackers through leaks in their shopping cart scripts. Over 30 of the e-commerce sites leaked customer e-mail addresses to third party trackers. A dozen of the e-commerce sites examined by the researchers directly leaked customer Bitcoin addresses to third party trackers. 13 of the e-commerce sites the researchers observed leaked shipping address information to third party trackers. The researchers from Princeton also tested the effectiveness of cluster intersection attacks against coin mixing. They found that when an attacker had some additional information, such as if a person made multiple cryptocurrency transactions, they could reverse the privacy enhancing effects of coin mixers.

People can protect themselves from the attacks the researchers used by utilizing privacy and anonymity software such as the Tor Browser and the Brave web browser, or add-ons such as uBlock Origin, Disconnect.me, and Ghostery. The version of Tor Browser which comes installed with the TAILS operating system is bundled with uBlock Origin installed. TAILS operating system itself is excellent to use to help protect your privacy. Firefox now incorporates tracking protection, using either the basic blocklist or the strict blocklist from Disconnect.me, for private browsing, but tracking protection can also be turned on for regular browsing sessions as well. Blocking third party cookies also helps. Another browser add-on which can help fight against third party ad trackers is to use the NoScript add-on. NoScript comes bundled with the Tor Browser.

Unfortunately for some online stores, some javascripts may need to be temporarily enabled in order to make a purchase. Third party trackers can use malicious javascript to extract bitcoin addresses from e-commerce sites. While defending against third party trackers can significantly help protect privacy, the researchers note that the merchants and payment processors themselves can be potential adversaries. The researchers also noted that 25 out of the 130 e-commerce sites that were observed leaked information to third party trackers even when certain forms of tracking protection were used. It appears that financial privacy remains under attack by governments, corporations, and hackers, and until e-commerce sites begin to take the securing of their customer’s private information seriously, users will have to be even more vigilant and work harder to protect the privacy of their cryptocurrency transactions.